Armored Likho is a previously undocumented APT group that Kaspersky linked with medium confidence to an active phishing campaign. Based on circumstantial evidence, it is also referred to as Eagle Werewolf. The campaign primarily targets government agencies and the electric power sector, with confirmed victims in Russia, Kazakhstan, and Brazil. The reporting also states that the group combines financially motivated attacks on private individuals with cyber-espionage operations against organizations.

Observed delivery relies on spear-phishing emails themed as official government notices, psychological tests, social programs, humanitarian aid requests, and debt-clearance certificates. Malicious archives contain either NSIS-built EXE droppers or LNK files. In one chain, an EXE dropper launches a decoy application, executes a legitimate file, and injects code into its memory to start a loader. In another, malicious LNK files abuse ZDI-CAN-25373 to conceal command-line parameters and launch obfuscated PowerShell. Loaders then retrieve additional components from GitHub and install the primary payload, BusySnake Stealer. The report notes that first-stage loaders appear AI-generated, with excessive comments and emoji markers.

The group’s primary malware in this campaign is BusySnake Stealer, a previously undescribed Python-based Windows stealer obfuscated with PyArmor Pro 9.2.0. BusySnake Stealer establishes persistence via VBScript and scheduled tasks, including newer variants that use the Schedule.Service COM object for stealthier task creation. It runs as a background .pyw process, uses a lock file to prevent duplicate execution, and polls C2 infrastructure including 159.198.41.140.
Capabilities described in the reporting include clipboard capture, screenshot collection, file inventorying, document exfiltration, Chromium and Firefox credential theft, cookie theft, OTP secret discovery, cryptocurrency wallet JSON discovery, Telegram Desktop tdata theft, reverse SSH tunneling, and remote access via RustDesk. Newer versions add delayed execution, task-state tracking, and the ability to fetch and execute arbitrary Python scripts in memory after installing dependencies via pip. The attribution to Armored Likho is supported in the reporting by similarities between BusySnake Stealer and the group’s previously used tools Go2Tunnel and AquilaRAT, including reverse SSH tunneling functionality, handler-based task execution, similar C2 patterns, and scheduled-task persistence masquerading as legitimate Microsoft utilities. Known aliases and related naming in the content are Armored Likho and Eagle Werewolf.
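A defender-side triage script, added here and not taken from the report or from Mallory, that scans exported Task Scheduler XML definitions for the persistence traits described above: script-host or Python actions (VBScript, .pyw) and Microsoft-style task names backed by a binary outside trusted directories. The task names, file paths and XML bodies are constructed samples, not indicators from the report.

```python
# Added example, not from the report or from Mallory: triage exported Task Scheduler XML
# for the persistence traits described above. All names, paths and XML are constructed samples.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script hosts and Python artifacts consistent with VBScript / .pyw persistence.
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b|\.vbs\b|\bpythonw?(\.exe)?\b|\.pyw\b", re.I)
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and expand the %windir%/%systemroot% forms real tasks use."""
    p = path.strip().strip('"').lower()
    return re.sub(r"%(windir|systemroot)%", r"c:\\windows", p)

def triage_task(task_name: str, task_xml: str) -> list:
    """Return findings for one task definition (empty list when nothing matched)."""
    findings = []
    root = ET.fromstring(task_xml)
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        cmdline = f"{cmd} {args}".strip()
        if SCRIPT_HOST.search(cmdline):
            findings.append(f"{task_name}: script-host or Python action: {cmdline}")
        # Masquerade pattern: Microsoft-style task name, but the binary lives outside trusted dirs.
        if "microsoft" in task_name.lower() and not normalize_path(cmd).startswith(TRUSTED_PREFIXES):
            findings.append(f"{task_name}: Microsoft-style name, command outside trusted dirs: {cmd}")
    return findings

def _task_xml(command: str, arguments: str) -> str:
    """Build a minimal Task Scheduler XML body (constructed; real exports carry more elements)."""
    return (f'<Task version="1.4" xmlns="{NS["t"]}"><Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed samples: a masquerading .pyw task, a VBScript task, and a benign Microsoft task.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\WindowsUpdateCheck": _task_xml(
        r"C:\Users\victim\AppData\Roaming\Python\pythonw.exe", r"C:\Users\victim\AppData\Roaming\svc\update.pyw"),
    r"\SystemHealthMonitor": _task_xml(r"C:\Windows\System32\wscript.exe", r"//B C:\ProgramData\health\run.vbs"),
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": _task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$"),
}

def triage_all(tasks: dict = SAMPLE_TASKS) -> dict:
    """Map task name -> findings, keeping only tasks that produced at least one finding."""
    return {name: hits for name, body in tasks.items() if (hits := triage_task(name, body))}

if __name__ == "__main__":
    for hits in triage_all().values():
        print("\n".join(hits))
```

On a live host, feed it the XML files under the Tasks directory (or the output of an export) instead of the constructed samples; the benign defrag task is included to show that a Microsoft-style name alone is not a finding.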
Conducting phishing-led espionage and financially motivated intrusions using BusySnake Stealer, reverse SSH tunneling, credential theft, cookie theft, document exfiltration, and remote control against government and electric power sector targets.
Conducting phishing-led intrusions against government organizations and the electric power sector while also carrying out financially motivated attacks on private users. The group uses modular RAT/stealer tooling, including the newly described BusySnake Stealer, and remote-access/tunneling capability similar to Go2Tunnel.